#!/usr/bin/env bash

# Filename     :	openvpn-2.4.12_install.sh
# Last modified:	2023-05-31 12:12
# Version      :
# Author       : jack.zang
# Email        : jack.zang@aishangwei.net
# Description  :
# 使用方法：source <(curl -sL https://gitee.com/jack_zang/public-scripts/raw/master/shell/openvpn/openvpn-2.4.12_install.sh)
# ******************************************************

echo net.ipv4.ip_forward = 1 >> /etc/sysctl.conf
sysctl -p

#yum -y install epel-release
yum -y install openvpn easy-rsa

## 生成 CA 根证书
cp -r /usr/share/easy-rsa /etc/openvpn/
cd /etc/openvpn/easy-rsa/3
cat > ./vars <<EOF
export KEY_COUNTRY="China"
export KEY_PROVINCE="HeNan"
export KEY_CITY="ZhenZhou"
export KEY_ORG="xiodi"
export KEY_EMAIL="ca@aishangwei.net"
EOF

source ./vars
./easyrsa init-pki
./easyrsa build-ca nopass

## 生成 Openvpn 服务器证书和密钥
./easyrsa build-server-full server nopass
## 生成 Diffie-Hellman 算法需要的密钥文件
./easyrsa gen-dh
## 生成 tls-auth Key，主要用来防止 Dos 和 TLS 攻击（可选）
openvpn --genkey --secret ta.key

mkdir -p /var/log/openvpn
chown openvpn:openvpn /var/log/openvpn

## 整理文件
mkdir /etc/openvpn/server/certs && cd /etc/openvpn/server/certs/
cp /etc/openvpn/easy-rsa/3/pki/{dh.pem,ca.crt} ./
cp /etc/openvpn/easy-rsa/3/pki/issued/server.crt ./
cp /etc/openvpn/easy-rsa/3/pki/private/server.key ./
cp /etc/openvpn/easy-rsa/3/ta.key ./

## openvpn 启动配置文件
mkdir /etc/openvpn/ccd
cat > /etc/openvpn/server.conf <<EOF
port 1194
proto udp
dev tun
ca /etc/openvpn/server/certs/ca.crt
cert /etc/openvpn/server/certs/server.crt
key /etc/openvpn/server/certs/server.key
dh /etc/openvpn/server/certs/dh.pem
tls-auth /etc/openvpn/server/certs/ta.key 0
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 172.31.0.0 255.255.0.0"
#push "dhcp-option DNS 192.168.10.239"
#push "dhcp-option DNS 114.114.114.114"
#route 192.168.10.0 255.255.255.0
client-config-dir ccd
client-to-client
compress lzo
duplicate-cn
keepalive 10 120
comp-lzo
persist-key
persist-tun
user openvpn
group openvpn
log /var/log/openvpn/server.log
log-append /var/log/openvpn/server.log
status /var/log/openvpn/status.log
verb 3
explicit-exit-notify 1
#client-config-dir /etc/openvpn/ipconfig
EOF

## 创建服务文件
cat > /usr/lib/systemd/system/openvpn@.service <<EOF
[Unit]
Description=OpenVPN Robust And Highly Flexible Tunneling Application On %I
After=network.target

[Service]
Type=notify
PrivateTmp=true
ExecStart=/usr/sbin/openvpn --cd /etc/openvpn/ --config %i.conf

[Install]
WantedBy=multi-user.target
EOF

## 创建用户配置文件模板
cat > /etc/openvpn/client/agent_template.ovpn <<EOF
client
proto udp
dev tun
remote 139.224.55.22 1194
ca ca.crt
cert user.crt
key user.key
tls-auth ta.key 1
remote-cert-tls server
persist-tun
persist-key
comp-lzo
verb 3
mute-replay-warnings
EOF

## 创建一个生成用户的脚本
cat > /etc/openvpn/client/create_user.sh <<EOF
#!/usr/bin/env bash
# Author: jackzang
# mail: jackzang@aishangwei.net
# Date: 2020/2/9

# 如果脚本执行报错，则停止
set -e

# 配置目录
USER_KEYS_DIR=/etc/openvpn/client/keys
EASY_RSA_VER=3
EASY_RSA_DIR=/etc/openvpn/easy-rsa
PKI_DIR=\${EASY_RSA_DIR}/\${EASY_RSA_VER}/pki

# 安装 zip
rpm -qa|grep ^zip || yum -y install zip

# 循环创建多个用户
for user in "\$@"
do
  # 如果用户已存在，跳出本次循环
  if -d \${USER_KEYS_DIR}/\${user} ; then
    echo "[Warning] \$user already exists!"
    break
  fi
  # 创建用户
  cd \${EASY_RSA_DIR}/\${EASY_RSA_VER}
  ./easyrsa build-client-full \${user} nopass
  mkdir -p \${USER_KEYS_DIR}/\${user}
  cp \${PKI_DIR}/ca.crt \${USER_KEYS_DIR}/\${user}
  cp \${PKI_DIR}/issued/\${user}.crt \${USER_KEYS_DIR}/\${user}
  cp \${PKI_DIR}/private/\${user}.key \${USER_KEYS_DIR}/\${user}
  cp /etc/openvpn/client/agent_template.ovpn \${USER_KEYS_DIR}/\${user}/\${user}.ovpn
  sed -i "s/user/\${user}/g" \${USER_KEYS_DIR}/\${user}/\${user}.ovpn
  cp /etc/openvpn/server/certs/ta.key \${USER_KEYS_DIR}/\${user}/ta.key
  # 打包用户文件
  cd \${USER_KEYS_DIR}
  zip -r \${user}.zip \${user}
done
exit 0
EOF

## 授予执行权限
chmod +x /etc/openvpn/client/create_user.sh

## 创建用户
#/etc/openvpn/client/create_user.sh username
#tree /etc/openvpn/client/keys/*



























